New Simple DNSCrypt install doesn't work

Comments

6 comments

  • Avatar
    rotblitz (Edited )

    See also https://support.opendns.com/hc/en-us/community/posts/115000490467

    Else visit the github site to contact the authors of the tool.  Or post screen shots of what you need help with.

  • Avatar
    mrbrunes

    Thanks for the info.

    I eventually realised that one has to click the relevant network card icon so that it is ticked to enable the resolver for that interface. Then the live log started to fill up.

    However https://welcome.opendns.com still isn't working and http://www.internetbadguys.com/ results in "We can’t connect to the server at c2eda10f06e25047de09e7e0c7ca551f2456.d0452297.id.opendns.com."

    Some output from the cmds listed:

    [code]

    >nslookup -type=txt debug.opendns.com
    Server:  localhost
    Address:  127.0.0.1

    *** localhost can't find debug.opendns.com: Non-existent domain

    >nslookup -type=txt which.opendns.com. 208.67.220.220
    Server:  resolver2.opendns.com
    Address:  208.67.220.220

    Non-authoritative answer:
    which.opendns.com       text =

            "m25.lon"
            
    >nslookup whoami.akamai.net.
        Server:  localhost
        Address:  127.0.0.1
        
        Non-authoritative answer:
        Name:    whoami.akamai.net
    Address:  74.125.73.89

    >netsh interface ipv4 show config

    Configuration for interface "Ethernet 4"
        DHCP enabled:                         Yes
        IP Address:                           169.254.219.104
        Subnet Prefix:                        169.254.0.0/16 (mask 255.255.0.0)
        InterfaceMetric:                      25
        DNS servers configured through DHCP:  None
        Register with which suffix:           Primary only
        WINS servers configured through DHCP: None

    Configuration for interface "Ethernet 5"
        DHCP enabled:                         Yes
        IP Address:                           169.254.67.211
        Subnet Prefix:                        169.254.0.0/16 (mask 255.255.0.0)
        InterfaceMetric:                      25
        DNS servers configured through DHCP:  None
        Register with which suffix:           Primary only
        WINS servers configured through DHCP: None

    Configuration for interface "Ethernet 7"
        DHCP enabled:                         Yes
        IP Address:                           192.168.0.208
        Subnet Prefix:                        192.168.0.0/24 (mask 255.255.255.0)
        Default Gateway:                      192.168.0.254
        Gateway Metric:                       0
        InterfaceMetric:                      25
        Statically Configured DNS Servers:    127.0.0.1
                                              127.0.0.2
        Register with which suffix:           Primary only
        WINS servers configured through DHCP: None

    Configuration for interface "Ethernet 2"
        DHCP enabled:                         No
        IP Address:                           169.254.123.14
        Subnet Prefix:                        169.254.0.0/16 (mask 255.255.0.0)
        InterfaceMetric:                      55
        Statically Configured DNS Servers:    None
        Register with which suffix:           Primary only
        Statically Configured WINS Servers:   None

    Configuration for interface "Loopback Pseudo-Interface 1"
        DHCP enabled:                         No
        IP Address:                           127.0.0.1
        Subnet Prefix:                        127.0.0.0/8 (mask 255.0.0.0)
        InterfaceMetric:                      75
        Statically Configured DNS Servers:    None
        Register with which suffix:           Primary only
        Statically Configured WINS Servers:   None

    [\code]

     

     

  • Avatar
    rotblitz

    "*** localhost can't find debug.opendns.com: Non-existent domain"

    This indicates that the DNSCrypt proxy doesn't forward your DNS queries to OpenDNS, but to another DNS service (74.125.73.89 = Google).  I believe you have to select something with "Cisco" from the drop-down list for "the first resolver", and do not select something for "the second resolver (optional)".  You may also need to disable the "Secondary DNSCrypt Service".

    After you did these changes, the following from your interface "Ethernet 7" may have changed
    from

    Statically Configured DNS Servers:    127.0.0.1
                                                   127.0.0.2

    to

    Statically Configured DNS Servers:    127.0.0.1        (i.e. just one DNS server entry)

    Then try to verify again with:

    nslookup -type=txt debug.opendns.com.

    One of the TXT records should show that you have DNSCrypt enabled.  The other TXT records should present the usual values from OpenDNS like server (e.g. m25) and data center location (lon = London in your case), OpenDNS network ID, account type, bundle ID, DNS flags, source IP address and port, and more.

  • Avatar
    mrbrunes

    I changed the Primary Resolver to Cisco OpenDNS and the OpenDNS test site now works! :-)

    However DNSSEC now shows a cross so I guess it is not encrypted. :-(

    Some testing shows that only the DNSCrypt.* resolvers support DNSSEC.

    The old DNSCrypt windows client running on another machine works fine with the test site.

     

    > nslookup -type=txt debug.opendns.com
    1.0.0.127.in-addr.arpa
            primary name server = localhost
            responsible mail addr = nobody.invalid
            serial  = 1
            refresh = 600 (10 mins)
            retry   = 1200 (20 mins)
            expire  = 604800 (7 days)
            default TTL = 10800 (3 hours)
    (root)  ??? unknown type 41 ???
    Server:  UnKnown
    Address:  127.0.0.1

    Non-authoritative answer:
    debug.opendns.com       text =

            "server m25.lon"
    debug.opendns.com       text =

            "flags 20 0 50 3950000000000000000"
    debug.opendns.com       text =

            "originid 9876339"
    debug.opendns.com       text =

            "actype 2"
    debug.opendns.com       text =

            "bundle 3660515"
    debug.opendns.com       text =

            "source 86.141.242.39:52452"
    debug.opendns.com       text =

            "dnscrypt enabled (713156774457306E)"

    (root)  ??? unknown type 41 ???

    >netsh interface ipv4 show config

    [snip]

    Configuration for interface "Ethernet 7"
        DHCP enabled:                         Yes
        IP Address:                           192.168.0.208
        Subnet Prefix:                        192.168.0.0/24 (mask 255.255.255.0)
        Default Gateway:                      192.168.0.254
        Gateway Metric:                       0
        InterfaceMetric:                      25
        Statically Configured DNS Servers:    127.0.0.1
                                              127.0.0.2
        Register with which suffix:           Primary only
        WINS servers configured through DHCP: None

    I had disabled the secondary DNSCrypt Service but I guess the above shows it is still active.

     

     

     

  • Avatar
    rotblitz

    "However DNSSEC now shows a cross so I guess it is not encrypted. :-("

    DNSCrypt and DNSSEC are two different things.  Cisco/OpenDNS generally do not support DNSSEC, so that's ok.
    See https://support.opendns.com/hc/en-us/search?utf8=%E2%9C%93&query=DNSSEC

    The nslookup output looks as expected now.

    "I had disabled the secondary DNSCrypt Service but I guess the above shows it is still active."

    You can check if this second resolver 127.0.0.2 is still valid:

    nslookup -type=txt debug.opendns.com. 127.0.0.2

    If it does not respond or does not use OpenDNS, you can manually remove it from your "Ethernet 7" interface.

  • Avatar
    mrbrunes

    RE: DNSSec =/= DNS Crypt, yes of course. Doh!

    I managed to get the secondary DNSCrypt service resolver removed by clicking the relevant Network Card to disable it and then clicking it again. A GUI mgmt to proxy service interaction limitation I guess.

    But after jumping (guided) through some hoops I think we're there now! Thanks again. :-)

     

Please sign in to leave a comment.